So Yesterday You Were Breached

There is something pathetically optimistic about cybersafety. There is something quietly unsettling about cybersecurity. There’s something nauseously helpless about being breached.

Role play: You’re the person in charge!

Then it happens. Despite the cybersafety. Despite the cybersecurity. Despite having the best security practices checklist - you got breached yesterday. So now what, boss?

Let’s take a step back. First, according to the numbers, you’re not likely to be in charge of a place with deep enough pockets to shrug it off. You’re also not likely to even have a security professional on your staff. Really, the numbers say that statistically you won’t even have more than one IT professional on staff. So, let’s write this for you, the 95% who are doing some kind of business from banking to sales, over the Internet, but have no cybersecurity people on staff.

However, if you happen to be reading this and are part of the other 5% who work in the warm, safe, comforting lap of Internet security luxury, there’s a 95% chance that your security will still be understaffed and your feelings of safety are highly over-rated. So maybe you should keep reading anyway. And there’s punch and pie at the end.

So, to reiterate, you are told that you got breached yesterday. Now what?

Let’s hope you’re reading this because it hasn’t happened yet and you want to know. If not, then sorry, and this is your plan. So skip to the checklist and read fast. Otherwise, read through this twice, especially the funny bit about raccoons, and then copy/paste the checklist below to the document called Incident Response Plan, print it, and hang it up on the wall, preferably on a clipboard with a pencil on a string. Any string will do.

Stop obsessing about the string.

Step-By-Step Incident Response Plan

Well, the first thing you should know is that your goal is to make right now the best security in your life, regardless of what happened yesterday. So, your first order of business is to get facts. Yes, facts. You don’t want to know now why it happened, where it came from, or anything else that will give you existential peace. You want facts.

Only facts will help you make the best security of your life now to keep your business running without further incident. So, any “Umm, we believe” that you hear from anyone gets shut down fast. Any rumors, theories, or opinions can go to hell. Most of that won’t be true and even more of it, like 100% of it, doesn’t matter now. You’re in crisis mode and all you need now is a crisis sandwich of facts.

1. Did you get breached, yes or no?What information do you have that factually and concretely shows that a data loss of some kind has happened? Are systems inexplicably down? Has stuff been wiped from drives? Has data been changed? Is there money missing from a bank account? Find out what the breach is.

2. Take that answer and put it at the top of a clean whiteboard. That is fact 1. That is what you know. Draw a line down the center of the board under that. On the left you put facts. On the right you put ideas.

3. Time is everything, so you want to be more ambulance-driving first responder than medical examiner. If this was a snake bite, know where the bite is then apply the tourniquet. Address the facts you have. Take it off the network. Block public access to it. Change all passwords and set it so everyone has to change their passwords on all systems. If you have to deal with a third party, to lock things down like bank accounts and partner network access, do it now.

4. Make an extremely quick review of other major assets you have on the network that you can afford to isolate for a few days as well. By the way, assets that include other people’s personal data (employees, customers, partners) are ALWAYS a major asset whether you think so or not.

5. Now that you’ve stopped the spread of the poison, you need to know what kind of poison it is. Don’t expect to capture and identify the snake though. Many, many, many organizations have tried and often fail. Sure, they’ll lie and pretend they know, but mostly they don’t. So don’t bother. Instead focus on knowing the type of bite and where the snake got in. Replace the attacked system so you can work on it. If you can do so properly, you may not need to replace it if you can clone it for later forensic review. There are some important steps required in forensics to make a chain of custody, so don’t do anything to the machine in terms of cloning unless you know what you want to or need to do legally.

6. At this point, consider bringing in an outside professional security team. You need someone who can do the forensics on systems and the network that can be accepted by a court – not everyone can do this. You need someone who can help repair the poisoned system. You need someone who can analyze your security so there’s no repeat incident.

7. Also consider hiring outside legal counsel. You need someone who knows the law about notification and the paperwork that comes from a breach, depending on what was stolen or damaged. You may need to act on some of the legal reporting on day one, so don’t put this part off. You may also need to call in law enforcement and make an official report. Make sure your lawyer knows what to do.

8. Review system logs from the attacked system and the devices leading up to it. Talk to people in charge of maintaining that system. Talk to people near the incident. Review network traffic, both the saved and the ones in real time. Fill your whiteboard with what you know and what you think you know - that’s why you have that line down the middle. Don’t stop until you know enough about what was stolen or damaged and how to call your insurance company.

9. Call your insurance company.

10. Next, call your lawyer. Tell them what you know and told your insurance company. You may need to report this publicly based on the type of information stolen.

11. Get a Public Relations company. If you can’t find one with security breach reporting experience, find one that has success with either: A. political smear campaigns, or B. large factory lay-offs. While they’re not the same thing in terms of incident, they’re the same thing in managing an angry, desperate public.

12. With the support of your PR company, notify all external users that you are making a security sweep and have changed all user passwords everywhere, and set it so everyone has to change their passwords on all systems. Your PR company will know what you should say based on what you know at this time.

13. Get a full network security audit and analysis. Make sure you have OSSTMM certified people doing it. Better yet, sign up for annual reviews. The OSSTMM is a different way of looking at security, and it really is the only way you can make sure you stay secure.

14. Make sure your IT people get good security training. Have them read the Open Source Security Testing Methodology Manual or give them time to do the lessons in Hacker Highschool, both free and open source projects that will greatly increase their security know-how. If you’re a small shop then you may want to encourage all your employees to read through Hacker Highschool. It’s solid cybersafety stuff.

15. Learn from the breach. Make mandatory trainings or support groups that help employees know what you learned. Use a bug bounty service. Make positive changes. Improve your security incrementally, every day. Know what happens on your network at all times. Know what your systems are doing. Know what services you have open. Security is a daily chore that gets easier over time especially if you remain consistent and committed. Let’s make sure this doesn’t happen again.

These following steps are only in the case you lost personal identifying information or are required to make a public report for the breach:

16. If you need to publicly file the breach, call your Public Relations firm for help with telling the world the news. Get ahead of bad news, don’t just ignore it.

17. Deal with the public. Offer real solutions. Provide real support. You lost their irreplaceable, nostalgic stuff so make good on it. Yes, there’s nothing more nostalgic than your identity. If you don’t believe me, try losing yours. It sucks.

18. Work with the necessary regulatory agencies and show commitment to security. Nobody expects you to have perfect security but they do expect you to have perfectly handled your security breach.

That’s it. That’s what you do in that order. Even better, do all you can to prevent an incident like this from happening in the first place.

And seriously, the type of string doesn’t matter. Let it go already.

Share It:

About The Author

Pete HerzogPete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the OSSTMM, the international standard on security testing and analysis, Hacker Highschool, cybersecurity for teens, and the Cybersecurity Playbook, practical cyberdefense for everyone else. Author's Bio